DETAILED ACTION 

1. This communication is responsive to the Amendment filed 7 December 2007. 

2. Claims 1-31 are pending in this application. Claims 1, 16 and 31 are 
independent. In the Amendment filed 7 December 2007, claims 1, 5, 15, 16, 20, 30 and 
31 have been amended. This action is made Non-Final due to the introduction of a new 
rejection under 35 U.S.C. 101. 

3. The rejections of claims 1-5, 8, 9, 11-20, 23, 24 and 26-31 as being unpatentable 
over US Patent No. 6,947,933 to Smolsky in view of US PGPub 2004/0098617 to Sekar 
et al, and of claims 6, 7, 10, 21, 22 and 25 as being unpatentable over US Patent No. 
6,947,933 to Smolsky in view of US PGPub 2004/0098617 to Sekar et al in view of US 
Patent No. 6,625,585 to MacCuish et al, have been withdrawn. 

Claim Rejections - 35 USC § 101 

4. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

5. The rejection of claims 1-15 because the claimed invention is directed to non- 
statutory subject matter has been withdrawn as necessitated by amendment. 

6. Claim 31 is rejected under 35 U.S.C. 101 because the claimed invention is 
directed to non-statutory subject matter. 

Claim 31 recites an article of manufacture for monitoring abnormalities in a data 
stream, comprising a machine readable medium containing one or more programs 
which when executed implement steps. 
This claimed subject matter lacks a practical application of a judicial exception 
(law of nature, abstract idea, naturally occurring article/phenomenon) since it fails to 
produce a useful, concrete and tangible result. 

Specifically, the claimed subject matter does not produce a tangible result 
because the claimed subject matter fails to produce a result that is limited to having real 
world value rather than a result that may be interpreted to be abstract in nature as, for 
example, a thought, a computation, or manipulated data. More specifically, the claimed 
subject matter provides for changing values of the node if the node exists. However, it 
is unclear what the tangible result is if the node does not exist and thus, it fails to achieve 
the required status of having real world value. 

It is suggested that claim 31 be amended to be consistent with claim 1, since the 
method of claim 1 provides a tangible result. 

To allow for compact prosecution, the examiner will apply prior art to these 
claims as best understood, with the assumption that applicant will amend to overcome 
the stated 101 rejections. 

Claim Rejections - 35 USC § 103 

7. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 
8. This application currently names joint inventors. In considering patentability of 
the claims under 35 U.S.C. 103(a), the examiner presumes that the subject matter of 
the various claims was commonly owned at the time any inventions covered therein 
were made absent any evidence to the contrary. Applicant is advised of the obligation 
under 37 CFR 1.56 to point out the inventor and invention dates of each claim that was 
not commonly owned at the time a later invention was made in order for the examiner to 
consider the applicability of 35 U.S.C. 103(c) and potential 35 U.S.C. 102(e), (f) or (g) 
prior art under 35 U.S.C. 103(a). 

9. Claims 1-6, 9, 12, 16-21, 24 and 27 are rejected under 35 U.S.C. 103(a) as 
being unpatentable over US PGPub 2002/0161763 to Ye et al (hereafter Ye) in view 
of US PGPub 2002/0107858 to Lundahl et al (hereafter Lundahl). 

Referring to claim 1, Ye discloses a method for monitoring abnormalities in a 
data stream (see abstract and [0030]), comprising the steps of: 

receiving a plurality of objects in the data stream [stream of data] (see [0035], 
lines 5-8); 

creating one or more clusters from the plurality of objects (see [0035], lines 10- 
13), wherein at least a portion of each of the one or more clusters comprises statistical 
data [sample variance, sample covariance and sample mean] representative of the 
respective cluster (see [0041]); 

Ye discloses clustering objects and determining if an object is abnormal 
compared to a distance value (see [0157]-[0170]); however, Ye fails to explicitly 
disclose the further limitations of determining from the statistical data whether each of 
the one or more clusters is abnormal when compared to a predefined value and 
reporting at least one of the one or more clusters as an abnormal cluster of objects in 
the data stream. Lundahl discloses performing cluster analysis on data in order to 
segment data into appropriate clusters for subsequent processing (see [0010], lines 5- 
8), including the further limitations of determining from the statistical data whether each 
of the one or more clusters is abnormal when compared to a predefined value (see 
[0217]); and reporting [classifying] at least one of the one or more clusters as an 
abnormal cluster of objects in the data stream (see [0217]) in order to improve the 
capability of an intrusion detection algorithm to be scalable and efficient in handling 
data in real-time systems. 

It would have been obvious to one of ordinary skill in the art to use the features of 
determining whether an entire cluster is abnormal and reporting that abnormality as 
disclosed by Lundahl using the statistical data determined by Ye. One would have been 
motivated to do so in order to improve the capability of an intrusion detection algorithm 
to be scalable and efficient in handling data in real-time systems (Ye: see [0010], 
lines 6-8). 

Referring to claim 2, the combination of Ye and Lundahl (hereafter Ye/Lundahl) 
discloses the method of claim 1, wherein the step of creating one or more clusters 
further comprises: 

computing one or more similarity values for a given object relating to one or more 
existing clusters (Ye: see [0157]-[0162]); and 



Application/Control Number: 10/801,420 Page 6 
Art Unit: 2167 

determining a closest cluster for the object based on the one or more similarity 
values (Ye: see [0163]). 

Referring to claim 3, Ye/Lundahl discloses the method of claim 2, further 
comprising the steps of: 

determining whether to add the object to the closest cluster (Ye: see [0157]- 
[0163]); 

adding the object to the closest cluster when determined and updating the 
statistical data of the closest cluster (Ye: see [0041]-[0042]); and 

creating a new cluster comprising the object when the object is not added to the 
closest cluster (Smolsky: see column 13, lines 31-35), and generating statistical data of 
the new cluster (Smolsky: see column 9, lines 4-14 and column 14, line 53 - column 
15, line 2). 

Referring to claim 4, Ye/Lundahl discloses the method of claim 3, wherein the 
step of determining whether to add the object to the closest cluster further comprises 
the step of determining if the similarity value is greater than a user-defined threshold 
(Ye: see [0173]). 

Referring to claim 5, Ye/Lundahl discloses the method of claim 1, wherein the 
step of determining from the statistical data whether each of the one or more clusters is 
abnormal further comprises the steps of: 

determining which clusters present at a first time were not present at a second 
time, wherein the second time is before the first time; determining which of the clusters, 
present at the first time and not present at the second time, contain fewer than a user- 
defined number of objects; and reporting clusters with fewer than the user-defined 
number of objects as abnormalities (Lundahl: see [0217]). 

Referring to claim 6, Ye/Lundahl discloses the method of claim 1, wherein the 
statistical data of each cluster is stored using an incremental updating process (Ye: see 
[0154], lines 8-15). 

Referring to claim 9, Ye/Lundahl discloses the method of claim 1, wherein the 
statistical data of each cluster comprises a number of objects [number of data points] in 
each cluster (Ye: see [0154], lines 9-13). 

Referring to claim 11, Ye/Lundahl discloses the method of claim 1, wherein the 
step of creating one or more clusters further comprises the step of applying one or more 
weights to one or more attributes (Ye: see [0174]). 

Referring to claim 12, Ye/Lundahl discloses the method of claim 1, wherein 
abnormalities comprise intrusions in a network (Ye: see [0030], lines 10-17). 
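The stream-clustering procedure recited in claims 1 through 12 (receive objects, compute similarity to existing clusters, join the closest cluster when the similarity exceeds a user-defined threshold or open a new one, keep per-cluster statistics incrementally, and report clusters that appeared since an earlier snapshot and hold fewer than a user-defined number of objects) can be run end to end as follows. This is an added illustration written for this page; it is not code from the Office action, the applicant's disclosure, or the Ye, Lundahl, MacCuish or Sekar references. The similarity measure (weighted fraction of a cluster's objects sharing each attribute value), the use of the running object count as the time axis, the attribute names `src`, `dst`, `sig`, and the sample events are all assumptions; the pairwise counts of claim 7 and the pyramidal storage intervals of claim 10 are not implemented.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass
class Cluster:
    """One cluster: object count plus per-attribute value counts, i.e. the
    'statistical data' that is updated incrementally (claims 6, 8 and 9)."""
    cid: int
    created_at: int
    n: int = 0
    counts: dict = field(default_factory=lambda: defaultdict(Counter))

    def similarity(self, obj, weights):
        """Assumed measure: weighted fraction of this cluster's objects that
        share each of obj's attribute values (claims 2 and 11)."""
        if self.n == 0:
            return 0.0
        total = sum(weights.values())
        score = sum(w * self.counts[a][obj.get(a)] / self.n for a, w in weights.items())
        return score / total

    def add(self, obj):
        """Incremental update: earlier objects are never re-scanned (claim 6)."""
        self.n += 1
        for attr, val in obj.items():
            self.counts[attr][val] += 1


class StreamClusterer:
    def __init__(self, threshold=0.5, weights=None):
        self.threshold = threshold   # user-defined similarity threshold (claim 4)
        self.weights = weights       # per-attribute weights (claim 11); None = equal
        self.clusters = {}
        self.clock = 0               # objects received so far, used as the time axis

    def receive(self, obj):
        """Claims 2-4: find the closest cluster, join it if similar enough,
        otherwise open a new cluster holding only this object."""
        self.clock += 1
        weights = self.weights or {a: 1.0 for a in obj}
        best, best_sim = None, -1.0
        for c in self.clusters.values():
            sim = c.similarity(obj, weights)
            if sim > best_sim:
                best, best_sim = c, sim
        if best is not None and best_sim > self.threshold:
            best.add(obj)
            return best.cid
        new = Cluster(cid=len(self.clusters), created_at=self.clock)
        new.add(obj)
        self.clusters[new.cid] = new
        return new.cid

    def snapshot(self):
        """Cluster ids present at the 'second (earlier) time' of claim 5."""
        return set(self.clusters)

    def abnormal_clusters(self, earlier, min_size):
        """Claim 5: clusters present now, absent from the earlier snapshot and
        holding fewer than min_size objects are reported as abnormal."""
        return sorted(cid for cid, c in self.clusters.items()
                      if cid not in earlier and c.n < min_size)


def build_stream():
    """Constructed sample events (not real traffic): source IP, destination IP
    and alert signature per object, the attributes named in claims 13-15."""
    normal = [{"src": f"10.0.0.{1 + i % 5}", "dst": "192.168.1.10", "sig": "HTTP_GET"}
              for i in range(20)]
    scan = [{"src": "203.0.113.7", "dst": "192.168.1.10", "sig": "PORT_SCAN"}
            for _ in range(3)]
    dns = [{"src": "10.0.0.1", "dst": "192.168.1.53", "sig": "DNS_QUERY"}
           for _ in range(10)]
    return normal, scan + dns


def run_demo(threshold=0.5, min_size=5):
    """Returns (abnormal cluster ids, {cluster id: object count})."""
    clusterer = StreamClusterer(threshold=threshold)
    baseline, later = build_stream()
    for obj in baseline:
        clusterer.receive(obj)
    earlier = clusterer.snapshot()          # second time: only the HTTP cluster exists
    for obj in later:
        clusterer.receive(obj)
    flagged = clusterer.abnormal_clusters(earlier, min_size)
    sizes = {cid: c.n for cid, c in clusterer.clusters.items()}
    return flagged, sizes


if __name__ == "__main__":
    flagged, sizes = run_demo()
    print("cluster sizes:", sizes)
    print("abnormal clusters:", flagged)
```

With the constructed stream the 20 HTTP events collapse into one cluster before the snapshot; the three port-scan events share only the destination with that cluster (similarity 1/3, below the 0.5 threshold) and open a new, small cluster, while the ten DNS events open a new cluster that is large enough not to be reported. Only the port-scan cluster is flagged; raising `min_size` above 10 would flag the DNS cluster as well, which is the knob the "user-defined number of objects" of claim 5 exposes.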

Referring to claim 16, Ye discloses an apparatus for monitoring abnormalities in 
a data stream (see abstract and [0030]), comprising: 

a memory (digital storage medium) (see [0026] and Fig 1); and 

at least one processor [computer system] coupled [network] to a memory and 
operative to: 

(i) receive a plurality of objects in the data stream [stream of data] (see 
[0035], lines 5-8) and 

(ii) create one or more clusters from the plurality of objects (see [0035], 
lines 10-13), wherein at least a portion of the one or more clusters comprise 
statistical data [sample variance, sample covariance and sample mean] of the 
respective cluster (see [0041]). 

Ye discloses clustering objects and determining if an object is abnormal 
compared to a distance value (see [0157]-[0170]); however, Ye fails to explicitly 
disclose the further limitation of (iii) determine from the statistical data whether each of 
the one or more clusters is abnormal when compared to a predefined value. Lundahl 
discloses performing cluster analysis on data in order to segment data into appropriate 
clusters for subsequent processing (see [0010], lines 5-8), including the further limitation 
of (iii) determine from the statistical data whether each of the one or more clusters is 
abnormal when compared to a predefined value (see [0217]) in order to improve the 
capability of an intrusion detection algorithm to be scalable and efficient in handling 
data in real-time systems. 

It would have been obvious to one of ordinary skill in the art to use the feature of 
determining whether an entire cluster is abnormal as disclosed by Lundahl using 
the statistical data determined by Ye. One would have been motivated to do so in order 
to improve the capability of an intrusion detection algorithm to be scalable and efficient 
in handling data in real-time systems (Ye: see [0010], lines 6-8). 

Referring to claim 17, Ye/Lundahl discloses the apparatus of claim 16, wherein 
the operation of creating one or more clusters further comprises: 

computing one or more similarity values for a given object relating to one or more 
existing clusters (Ye: see [0157]-[0162]); and 
determining a closest cluster for the object based on the one or more similarity 
values (Ye: see [0163]). 

Referring to claim 18, Ye/Lundahl discloses the apparatus of claim 17, further 
comprising: 

determining whether to add the object to the closest cluster (Ye: see [0157]- 
[0163]); 

adding the object to the closest cluster when determined and updating the 
statistical data of the closest cluster (Ye: see [0041]-[0042]); and 

creating a new cluster comprising the object when the object is not added to the 
closest cluster (Smolsky: see column 13, lines 31-35), and generating statistical data of 
the new cluster (Smolsky: see column 9, lines 4-14 and column 14, lines 53 - column 
15, line 2). 

Referring to claim 19, Ye/Lundahl discloses the apparatus of claim 18, wherein 
determining whether to add the object to the closest cluster further comprises the step 
of determining if the similarity value is greater than a user-defined threshold (Ye: see 
[0173]). 

Referring to claim 20, Ye/Lundahl discloses the apparatus of claim 17, wherein 
the operation of determining from the statistical data whether each of the one or more 
clusters is abnormal further comprises: 

determining which clusters present at a first time were not present at a second 
time, wherein the second time is before the first time; determining which of the clusters, 
present at the first time and not present at the second time, contain fewer than a user- 
defined number of objects; and reporting clusters with fewer than the user-defined 
number of objects as abnormalities (Lundahl: see [0217]). 

Referring to claim 21, Ye/Lundahl discloses the apparatus of claim 16, wherein 
the statistical data of each cluster is stored using an incremental updating process (Ye: 
see [0154], lines 8-15). 

Referring to claim 24, Ye/Lundahl discloses the apparatus of claim 16, wherein 
the statistical data of each cluster comprises a number of objects [number of data 
points] in each cluster (Ye: see [0154], lines 9-13). 

Referring to claim 26, Ye/Lundahl discloses the apparatus of claim 16, wherein 
the operation of creating one or more clusters further comprises the step of applying 
one or more weights to one or more attributes (Ye: see [0174]). 

Referring to claim 27, Ye/Lundahl discloses the apparatus of claim 16, wherein 
abnormalities comprise intrusions in a network (Ye: see [0030], lines 10-17). 

Referring to claim 31, Ye discloses an article of manufacture for monitoring 
abnormalities in a data stream (see abstract and [0030]), comprising a machine 
readable medium containing one or more programs which when executed implement the 
steps of: 

receiving a plurality of objects in the data stream [stream of data] (see [0035], 
lines 5-8); and 

creating one or more clusters from the plurality of objects (see [0035], lines 10- 
13), wherein at least a portion of each of the one or more clusters comprises statistical 
data [sample variance, sample covariance and sample mean] representative of the 
respective cluster (see [0041]). 

Ye discloses clustering objects and determining if an object is abnormal 
compared to a distance value (see [0157]-[0170]); however, Ye fails to explicitly 
disclose the further limitation of determining from the statistical data whether each of the 
one or more clusters is abnormal when compared to a predefined value. 

Lundahl discloses performing cluster analysis on data in order to segment data 
into appropriate clusters for subsequent processing (see [0010], lines 5-8), including the 
further limitation of determining from the statistical data whether each of the one or 
more clusters is abnormal when compared to a predefined value (see [0217]) in order 
to improve the capability of an intrusion detection algorithm to be scalable and efficient 
in handling data in real-time systems. 

It would have been obvious to one of ordinary skill in the art to use the feature of 
determining whether an entire cluster is abnormal as disclosed by Lundahl using the 
statistical data determined by Ye. One would have been motivated to do so in order to 
improve the capability of an intrusion detection algorithm to be scalable and efficient in 
handling data in real-time systems (Ye: see [0010], lines 6-8). 

10. Claims 7, 10, 22 and 25 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over US PGPub 2002/0161763 to Ye et al in view of US PGPub 
2002/0107858 to Lundahl et al as applied respectively to claims 1 and 16 above, 
and further in view of US Patent No 6,625,585 to MacCuish et al (hereafter 
MacCuish et al). 

Referring to claim 7, Ye/Lundahl discloses statistical data. However, 
Ye/Lundahl fails to explicitly disclose the further limitation wherein the statistical data of 
each cluster comprises one or more statistical counts of each pairwise attribute. 
MacCuish et al disclose clustering data (see abstract) including the further limitation 
wherein the statistical data of each cluster comprises one or more statistical counts of 
each pairwise attribute (see column 14, lines 44-62) in order to improve the accuracy 
of calculating the similarity of the clusters. 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to utilize pairwise attributes of MacCuish et al as the type of 
statistical data utilized by Ye/Lundahl. One would have been motivated to do so in 
order to improve the accuracy of calculating the similarity of the clusters. 

Referring to claim 10, Ye/Lundahl discloses statistical data. However, 
Ye/Lundahl fails to explicitly disclose the further limitation wherein the statistical data is 
stored periodically at intervals chosen based on a pyramidal distribution. MacCuish et 
al disclose clustering data (see abstract) including the further limitation wherein the 
statistical data is stored periodically at intervals chosen based on a pyramidal 
distribution (see column 14, lines 27-29) since the data being clustered is being 
transmitted in a stream which means that new data is constantly being clustered and 
clustering at a periodic interval decreases utilized system resources. 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to utilize the feature of periodically storing the statistics of 
MacCuish et al as the type of statistical data utilized by Ye/Lundahl. One would have 
been motivated to do so since the data being clustered is being transmitted in a stream, 
which means that new data is constantly being clustered and clustering at a periodic 
interval decreases utilized system resources. 

Referring to claim 22, the claim is rejected on the same grounds as claim 7. 

Referring to claim 25, the claim is rejected on the same grounds as claim 10. 

11. Claims 8, 13-15, 23 and 28-30 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over US PGPub 2002/0161763 to Ye et al in view of US PGPub 
2002/0107858 to Lundahl et al as applied respectively to claims 1 and 16 above, 
and further in view of US PGPub 2004/0098617 to Sekar (hereafter Sekar). 

Referring to claim 8, Ye/Lundahl discloses statistical data of each cluster. 
However, Ye/Lundahl fails to explicitly disclose the further limitation wherein the 
statistical data of each cluster comprises one or more statistical counts of each 
categorical attribute. Sekar discloses statistical data, including the further limitation 
wherein the statistical data of each cluster comprises one or more statistical counts of 
each categorical attribute (Sekar: see [0088], lines 1-7) in order to increase the speed 
and efficiency at which intrusions can be detected in a large sample of data. 
It would have been obvious to one of ordinary skill in the art to use the statistical 
counts of Sekar as additional data to the statistical data of Ye/Lundahl. One would have 
been motivated to do so in order to increase the speed and efficiency at which 
intrusions can be detected in a large sample of data. 

Referring to claim 13, Ye/Lundahl discloses abnormalities, which represent 
intrusions in a network. However, Ye/Lundahl fail to explicitly disclose the further 
limitation of wherein the step of receiving a plurality of objects further comprises the 
step of collecting source IP (Internet Protocol) address data, destination IP address data 
and signature data. Sekar discloses determining abnormalities in data, wherein 
abnormalities comprise intrusions in a network (see abstract), including the further 
limitation of a step of receiving a plurality of objects which comprises a step of collecting 
source IP (Internet Protocol) address data [source address], destination IP address data 
[destination address] and signature data (Smolsky: see column 5, line 34 and line 45) in 
order to increase the speed and efficiency at which intrusions can be detected in a large 
sample of data. 

It would have been obvious to one of ordinary skill in the art to use the IP 
address and signature data collected by Sekar with the data of Ye/Lundahl in order to 
determine the intrusions in a network. One would have been motivated to do so in 
order to increase the speed and efficiency at which intrusions can be detected in a large 
sample of data. 

Referring to claim 14, Ye/Lundahl discloses abnormalities, which represent 
intrusions in a network and the step of clustering data. However, Ye/Lundahl fail to 
explicitly disclose the further limitation of wherein the step of creating one or more 
clusters further comprises the step of clustering source IP address data, destination IP 
address data and signature data. Sekar discloses determining abnormalities in data, 
wherein abnormalities comprise intrusions in a network (see abstract), including 
collecting source IP (Internet Protocol) address data [source address], destination IP 
address data [destination address] and signature data (Smolsky: see column 5, line 34 
and line 45) in order to increase the speed and efficiency at which intrusions can be 
detected in a large sample of data. 

It would have been obvious to one of ordinary skill in the art to use the IP 
address and signature data collected by Sekar as the data being clustered by 
Ye/Lundahl. One would have been motivated to do so in order to increase the speed 
and efficiency at which intrusions can be detected in a large sample of data. 

Referring to claim 15, Ye/Lundahl discloses abnormalities, which represent 
intrusions in a network and the step of determining from statistical data whether 
abnormalities exist. However, Ye/Lundahl fail to explicitly disclose the further limitation 
of wherein the step of determining from the statistical data whether each of the one or 
more clusters is abnormal comprises the step of detecting one or more intrusions from 
statistical data of source IP address data, destination IP address data and signature 
data. Sekar discloses determining abnormalities in data, wherein abnormalities 
comprise intrusions in a network (see abstract), including wherein the step of 
determining from the statistical data whether one or more abnormalities exist further 
comprises the step of detecting one or more intrusions from statistical data of source IP 
address data, destination IP address data and signature data (Sekar: see [0032]) in 
order to increase the speed and efficiency at which intrusions can be detected in a large 
sample of data. 

It would have been obvious to one of ordinary skill in the art to use the IP 
address and signature data collected by Sekar as the data being clustered by 
Ye/Lundahl. One would have been motivated to do so in order to increase the speed 
and efficiency at which intrusions can be detected in a large sample of data. 

Referring to claim 23, the claim is rejected on the same grounds as claim 8. 

Referring to claim 28, the claim is rejected on the same grounds as claim 13. 

Referring to claim 29, the claim is rejected on the same grounds as claim 14. 

Referring to claim 30, the claim is rejected on the same grounds as claim 15. 

Response to Arguments 

12. Applicant's arguments with respect to claims 1-31 have been considered but are 
moot in view of the new ground(s) of rejection. 

Conclusion 

13. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

• The article "COOLCAT: An entropy-based algorithm for categorical clustering" to 
Barbara et al. 